Good afternoon 🙂
We have an SSG350 at our main site, acting as the hub in our 'hub and spoke' VPN network. On one of our spokes, we are connecting to a Cisco 2611 via a policy-based VPN. My issue is that we have two subnets at the hub (10.1.1.0/24 and 192.168.1.0/24). There is already a policy-based VPN established between 10.1.1.0/24 and the spoke's subnet (10.1.78.0/24). Currently, I'm trying to allow traffic to pass over the existing VPN from the remote site to the additional subnet 192.168.1.0/24. This is the setup I have so far:
SSG350:
-Configured with one gateway, and two separate Phase 2 rules for this spoke (one for each proxy ID pair).
-Two sets of policies, one for each subnet.
Cisco 2611
-Tried adding the additional subnet to the existing access list used by the crypto map,
i.e. access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
How can I route traffic from the Cisco over the currently working VPN to an additional subnet on the Juniper side? The related config for each device is posted below. Thanks in advance for any suggestions or links to point me in the right direction!
Kara
Cisco 2611 edited config:
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key XXXXXXXXXXXX address 4.4.4.4
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
!
crypto map nolan 11 ipsec-isakmp
set peer 4.4.4.4
set transform-set sharks
match address 101
!
!
!
!
interface Ethernet0/0
no ip address
no ip directed-broadcast
no cdp enable
!
interface Serial0/0
no ip address
no ip directed-broadcast
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description connected to Internet
ip address 5.5.5.5 255.255.255.248
no ip directed-broadcast
ip nat outside
no cdp enable
frame-relay interface-dlci 16 IETF
crypto map nolan
!
interface Ethernet0/1
ip address 10.1.78.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no cdp enable
!
ip nat inside source route-map nonat interface Serial0/0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 5.5.5.4
!
access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.78.0 0.0.0.255 any
access-list 102 deny ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 102
!
SSG 350 Edited Config:
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "ERP"
set interface "ethernet0/2" zone "OPS"
set interface "ethernet0/3" zone "Null"
set interface ethernet0/0 ip 4.4.4.4/28
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 route
set interface ethernet0/2 ip 10.1.1.1/24
set interface ethernet0/2 route
set ike gateway "To-RDsite" address 5.5.5.5 Main outgoing-interface "ethernet0/0" preshare "XXXXXXXXXXXXXXXXXXXXXX" proposal "pre-g1-des-md5" "pre-g1-des-sha" "pre-g2-des-sha" "pre-g2-des-md5"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "RDsite VPN" gateway "To-RDsite" replay tunnel idletime 0 sec-level compatible
set vpn "RDsite ERP Traffic" gateway "To-RDsite" replay tunnel idletime 0 sec-level compatible
set vpn "RDsite VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 10.1.78.0/24 "ANY"
set vpn "RDsite ERP Traffic" proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.78.0/24 "ANY"
set policy id 156 name "RDsite ERP Traffic" from "Untrust" to "ERP" "net_10.1.78.0" "net_192.168.1.0" "ANY" tunnel vpn "RDsite ERP Traffic" id 0x54 pair-policy 155 log
set policy id 156
exit
set policy id 155 name "RDsite ERP Traffic" from "ERP" to "Untrust" "net_192.168.1.0" "net_10.1.78.0" "ANY" tunnel vpn "RDsite ERP Traffic" id 0x54 pair-policy 156 log
set policy id 155
exit
set policy id 118 name "RDsite VPN" from "Untrust" to "OPS" "net_10.1.78.0" "net_10.1.1.0" "ANY" tunnel vpn "Raleigh Durham VPN" id 0x17 pair-policy 117
set policy id 118
exit
set policy id 117 name "RDsite VPN" from "OPS" to "Untrust" "net_10.1.1.0" "net_10.1.78.0" "ANY" tunnel vpn "Raleigh Durham VPN" id 0x17 pair-policy 118
set policy id 117
exit
set policy id 9 from "OPS" to "ERP" "net_10.1.1.0" "net_192.168.1.0" "ANY" permit
set policy id 9
exit
set policy id 10 from "ERP" to "OPS" "net_192.168.1.0" "net_10.1.1.0" "ANY" permit
set policy id 10
exit